Efficient computation of pairings on Jacobi quartic

Efficient computation of pairings on Jacobi quartic elliptic curves Sylvain Duquesne, Nadia El Mrabet, Emmanuel Fouotsa

To cite this version: Sylvain Duquesne, Nadia El Mrabet, Emmanuel Fouotsa. Efficient computation of pairings on Jacobi quartic elliptic curves. Journal of Mathematical Cryptology, Walter de Gruyter, 2014, 8 (4), pp.331-362. .

HAL Id: hal-01095359 https://hal.archives-ouvertes.fr/hal-01095359 Submitted on 17 Dec 2014

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destin´ee au d´epˆot et `a la diffusion de documents scientifiques de niveau recherche, publi´es ou non, ´emanant des ´etablissements d’enseignement et de recherche fran¸cais ou ´etrangers, des laboratoires publics ou priv´es.

J. Math. Cryptol., Ahead of Print DOI 10.1515 / jmc-2013-0033

© de Gruyter 2014

Efficient computation of pairings on Jacobi quartic elliptic curves Sylvain Duquesne, Nadia El Mrabet and Emmanuel Fouotsa Communicated by Neal Koblitz

Abstract. This paper proposes the computation of the Tate pairing, Ate pairing and its variations on the special Jacobi quartic elliptic curve Y 2 D dX 4 C Z 4 . We improve the doubling and addition steps in Miller’s algorithm to compute the Tate pairing. We use the birational equivalence between Jacobi quartic curves and Weierstrass curves, together with a specific point representation to obtain the best result to date among curves with quartic twists. For the doubling and addition steps in Miller’s algorithm for the computation of the Tate pairing, we obtain a theoretical gain up to 27% and 39%, depending on the embedding degree and the extension field arithmetic, with respect to Weierstrass curves and previous results on Jacobi quartic curves. Furthermore and for the first time, we compute and implement Ate, twisted Ate and optimal pairings on the Jacobi quartic curves. Our results are up to 27% more efficient compared to the case of Weierstrass curves with quartic twists. Keywords. Jacobi quartic curves, Tate pairing, Ate pairing, twists, Miller function. 2010 Mathematics Subject Classification. 14H52.

1

Introduction

Bilinear pairings were first used to solve the discrete logarithm problem on elliptic curve groups [14, 24]. But they are now useful to construct many public key protocols for which no other efficient implementation is known [5, 21]. A survey of some of these protocols can be found in [12]. The efficient computation of pairings depends on the model chosen for the elliptic curve. Pairing computation on the Edwards model of elliptic curves has been done successively in [9], [20] and [1]. The recent results on pairing computation using elliptic curves of Weierstrass form can be found in [7, 8]. Recently in [30], Wang et al. have computed the Tate pairing on Jacobi quartic elliptic curves using the geometric interpretation of the This work was supported in part by French ANR project no. 12-BS01-0010-01 “PEACE”, INS 2012 SIMPATIC project and LIRIMA 2013 MACISA project. This work is an improved and extended version of [10].

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

2

S. Duquesne, N. El Mrabet and E. Fouotsa

group law. An earlier work in the same direction as the previous one is done by Kaondera in [22]. Kaondera’s work appears to be the first that tried to completely describe the geometric interpretation of the group law on Jacobi curves. But that work lacks some codes or an implementation for the verification of the correctness of the formulas obtained. In the present paper, we focus on the special Jacobi quartic elliptic curve Y 2 D dX 4 C Z 4 over fields of large characteristic p  5 not congruent to 3 modulo 4. For pairing computation with embedding degree divisible by 4, we define and use the quartic twist of the curve Y 2 D dX 4 C Z 4 . Our results improve those obtained by Wang et al. in [30] and they are more efficient than those concerning the Tate pairing computation in Weierstrass elliptic curves [8]. Furthermore, the Miller algorithm is the main tool in the Tate pairing computation, and its efficiency has been successfully improved in the last years leading to other pairings: 

The Eta-pairing [3] on supersingular elliptic curves.



Ate and twisted Ate pairings introduced in [18] that are closely related to the Eta-pairing, but can be used efficiently with ordinary elliptic curves. These pairings can be more efficient than the Tate pairing, essentially due to the reduction of the number of iterations in the Miller algorithm.



Vercauteren [29] and Hess [17] generalize the method with the notion of optimal pairings and pairing lattices that can be computed using the smallest number of basic Miller iterations.

The computation of these different pairings has been done by Costello et al. [8] in the case of Weierstrass curves. As a second contribution of this work, we extend the results on the special Jacobi quartic in [10] to the computation of the Ate pairing and its variations. We show that among known curves with quartic twists, the Jacobi model Y 2 D dX 4 C Z 4 offers the best performances for all these different pairings. The rest of this paper is organized as follows. Section 2 provides a background on the Jacobi elliptic curve and notions on pairings that are useful in the paper. In Section 3, we present the computation of the Tate pairing on the Jacobi quartic curve mentioned above using birational equivalence and we compare our results to others in the literature. In Section 4, we determine the Miller function and rewrite the addition formulas for the Ate pairing. We also provide a comparative study of these pairings on the curves in Jacobi and Weierstrass forms. In Section 5 we provide an example of a pairing friendly curve of embedding degree 8. An implementation of the Tate, Ate and optimal Ate pairings based on this example

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

3

Efficient computation of pairings on Jacobi quartic elliptic curves

has been done using the Magma computer algebra system. This enables us to verify all the formulas given in this paper. Finally, we conclude in Section 6. The following notations are used in this work. Fq : A finite field of characteristic p  5, not congruent to 3 modulo 4. mk , sk : Cost of multiplication and squaring in the field Fq k for any integer k. mc: Cost of the multiplication by a constant in Fq .

2

Background on pairings and on Jacobi elliptic curves

In this section, we briefly review pairings on elliptic curves and the Jacobi quartic curves. We also define twists of Jacobi’s curves. 2.1

The Jacobi quartic curve

A Jacobi quartic elliptic curve over a finite field Fq is defined by Ed; W y 2 D dx 4 C 2x 2 C 1 with discriminant  D 256d.2 d /2 ¤ 0. In [4], Billet and Joye proved that if the Weierstrass curve E W y 2 D x 3 C ax C b has a rational point of order 2 denoted .; 0/, then it is birationally equivalent to the Jacobi quartic Ed; with d D .3 2 C 4a/=16 and  D 3=4. In the remainder of this paper, we will focus our interest on the special Jacobi quartic curve Ed;0 W y 2 D dx 4 C 1 because this curve has interesting properties such as a quartic twist which will contribute to an efficient computation of pairings. The addition and doubling formulas on Ed;0 are deduced from [19]. The point addition .x3 ; y3 / D .x1 ; y1 / C .x2 ; y2 / is given by x3 D

x12 x1 y2

x22 ; y1 x2

y3 D

.x1 .x1 y2

x2 /2 .y1 y2 C 1 C dx12 x22 / y1 x2 /2

The point doubling .x3 ; y3 / D 2.x1 ; y1 / on Ed;0 is given by  2y1 2y1  2y1 x3 D x ; y D y 1 3 1 2 y12 2 y12 2 y12

1:

1:

The birational equivalence, deduced from [4], between the Weierstrass curve Wd W y 2 D x 3 4dx and the Jacobi quartic curve Ed;0 is given by ' W Ed;0 ! Wd ;

.0; 1/ 7! P1 ; .0; 1/ 7! .0; 0/;  y C 1 y C 1 .x; y/ 7! 2 2 ; 4 3 ; x x

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

4

S. Duquesne, N. El Mrabet and E. Fouotsa

'

1

W Wd ! Ed;0 ;

P1 7! .0; 1/; .0; 0/ 7! .0; 1/;  2x 2x 3 y 2  ; : .x; y/ 7! y y2

From now on and for efficiency reasons, we adopt, for the first time in the compuY tation of pairings, a specific representation of points, namely .x; y/ D . X Z ; Z 2 /. The curve Ed;0 is then equivalent to Ed W Y 2 D dX 4 C Z 4 : The addition and doubling formulas on Ed are as follows. The point addition ŒX3 W Y3 W Z3  D ŒX1 W Y1 W Z1  C ŒX2 W Y2 W Z2  on Ed is given by X3 D X12 Z22

Z12 X22 ;

Z3 D X1 Z1 Y2 Y3 D .X1 Z2

X2 Z2 Y1 ; X2 Z1 /2 Y1 Y2 C .Z1 Z2 /2 C d.X1 X2 /2




Z32 :

The point doubling ŒX3 W Y3 W Z3  D 2ŒX1 W Y1 W Z1  on Ed is given by X3 D 2X1 Y1 Z1 ;

Z3 D Z14

dX14 ;

Y3 D 2Y14

Z32 :

The birational equivalence between the projective model Ed W Y 2 D dX 4 C Z 4 and the Weierstrass curve Wd W y 2 D x 3 4dx becomes ' W Ed ! Wd ;

'

1

W Wd ! Ed ;

Œ0 W 1 W 1 7! P1 ; Œ0 W 1 W 1 7! .0; 0/;  Y C Z 2 Z.Y C Z 2 /  ;4 ; ŒX W Y W Z 7! 2 X2 X3 P1 7! Œ0 W 1 W 1; .0; 0/ 7! Œ0 W 1 W 1; .x; y/ 7! Œ2x W 2x 3

y 2 W y:

The Sage software code to verify the correctness of our formulas is available at [26]. 2.2

Pairings on elliptic curves

In this section, we first recall the Tate pairing. Then, the notion of twists of elliptic curves is defined to recall the definition of the Ate pairing and its variations. Let E be an elliptic curve defined over a finite field Fq . The neutral element of the additive group law defined on the set of rational points of E is denoted by P1 . Let r be a large prime divisor of the group order ]E.Fq / and k be the embedding

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

5

Efficient computation of pairings on Jacobi quartic elliptic curves

degree of E with respect to r, i.e., the smallest integer such that r divides q k 1. The set E.Fq /Œr D ¹P 2 E.Fq / W ŒrP D P1 º is the set of r-torsion points with coordinates in an algebraic closure Fq of Fq , where Œ  W P 7! ŒrP is the endomorphism defined on E.Fq / which consists of adding P to itself r times. The integer k is also the smallest integer such that E.Fq /Œr  E.Fq k /; this is the main property that we use in this work. 2.2.1

The Tate pairing

Consider a point P 2 E.Fq /Œr and the divisor D D r.P / r.P1 /, then according to [28, Corollary 3.5, p. 67], D is principal and so there is a function fr;P with divisor Div.fr;P / D D. Let Q be a point of order r with coordinates in Fq k and r be the group of r-th roots of unity in Fqk . The reduced Tate pairing er is a bilinear and non-degenerate map defined as er W E.Fq /Œr  E.Fq k /Œr ! r ;

.P; Q/ 7! fr;P .Q/

qk 1 r

:

The value fr;P .Q/ can be determined efficiently using Miller’s algorithm [25]. Indeed, for any integer i , consider the divisor Di D i.P / .ŒiP / .i 1/.P1 /. We observe that Di is a principal divisor and so there is a function fi;P such that Div.fi;P / D i.P / .Œi P / .i 1/.P1 /. Observe that for i D r one has Dr D r.P /

r.P1 / D Div.fr;P /:

Thus, to obtain the value of fr;P .Q/, it suffices to apply an iterative algorithm using an addition chain for r, that is, a sequence .1; i1 ; i2 ; : : : ; r/ such that each ik is the sum of two previous terms of the sequence. This is justified by the fact that the functions fi;P satisfy the following conditions: f1;P D 1 and

fi Cj;P D fi;P fj;P hŒiP;Œj P ;

(2.1)

where hR;S denotes a rational function such that Div.hR;S / D .R/ C .S/

.S C R/

.P1 /;

with R and S two arbitrary points on the elliptic curve. In the case of elliptic R;S , where `R;S is the straight line defining curves in Weierstrass form, hR;S D v`RCS R C S and vRCS is the corresponding vertical line passing through R C S . Miller uses the double-and-add method for the addition chains for r and the properties of fi;P to compute fr;P .Q/ (for more details on addition chains see [2, Chapter 9]). The Miller algorithm that computes efficiently the pairing of two points is given in Algorithm 1.

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

6

S. Duquesne, N. El Mrabet and E. Fouotsa

Algorithm 1 The Miller algorithm for the computation of the reduced Tate pairing. Input: P 2 E.Fq /Œr, Q 2 E.Fq k /Œr, r D .1; rn Output: The reduced Tate pairing of P and Q : 1: Set f 1 and R P 2: for i D n 2 down to 0 do 3: f f 2
hR;R .Q/ 4: R 2R 5: if ri D 1 then 6: f f
hR;P .Q/ 7: R RCP 8: end if 9: end for k 10: return f .q 1/=r

2 ; : : : ; r1 ; r0 /2 . k fr;P .Q/.q 1/=r

More information on pairings can be found in [11, 15]. Let us now define twists of elliptic curves and specialize to the case of Jacobi quartic curves. This notion of twists enables us to work on smaller base fields for the computation of pairings. 2.2.2

Twists of elliptic curves

A twist of an elliptic curve E defined over a finite field Fq is an elliptic curve E 0 defined over Fq that is isomorphic to E over an algebraic closure of Fq . The smallest integer ı such that E and E 0 are isomorphic over Fq ı is called the degree of the twist. Let E W y 2 D x 3 C ax C b be an elliptic curve in Weierstrass form defined over Fq . The equation defining the twist E 0 has the form y 2 D x 3 C a! 4 x C b! 6 , where ! belongs to an extension Fq k of Fq and the isomorphism between E 0 and E is W E 0 ! E;

.x 0 ; y 0 / 7! .x 0 =! 2 ; y 0 =! 3 /:

More details on twists can be found in [8]. 2.2.3

Twist of Jacobi quartic curves

To obtain the twist of the Jacobi quartic curve Y 2 D dX 4 C Z 4 , we use the birational maps defined in Section 2.1 and the twist of Weierstrass curves defined above. Let k be an integer divisible by 4.

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

Efficient computation of pairings on Jacobi quartic elliptic curves

7

Definition 2.1 ([10]). A quartic twist of the Jacobi quartic curve Y 2 D dX 4 C Z 4 defined over the extension Fq k=4 of Fq is a curve given by the equation Ed! W Y 2 D d! 4 X 4 C Z 4 ; where ! 2 Fq k is such that ! 2 2 Fq k=2 , ! 3 2 Fq k nFq k=2 and ! 4 2 Fq k=4 . In other terms ¹1; !; ! 2 ; ! 3 º is a basis of Fq k as a vector space over Fq k=4 . Proposition 2.2. Let Ed! defined over Fq k=4 be a twist of Ed . The Fq k -isomorphism between Ed! and Ed is given by W Ed! ! Ed ;

ŒX W Y W Z 7! Œ!X W Y W Z:

In Sections 2.3 and 3.1, we explain why twists are useful for an efficient computation of pairings. 2.2.4

Ate pairing and its variations

In this section, we briefly define Ate and twisted Ate pairings. The results in this section are very well described in the original article of Hess et al. [18]. We recall that fi;R is the function with divisor Div.fi;R / D i.R/

.ŒiR/

.i

1/.P1 /:

Let q W E.Fq / ! E.Fq /;

.x; y/ 7! .x q ; y q /

be the Frobenius endomorphism on the curve, and t be its trace. The characteristic polynomial of q is X 2 tX C q, see [31, Chapter 4]. Using the fact that q satisfies its characteristic polynomial (Cayley–Hamilton theorem), we have the following equality: q2 tq C q D 0: The relation between the trace t of the Frobenius endomorphism and the group order is given by ]E.Fq / D q C 1 t I see [31, Theorem 4.3]. The Frobenius endomorphism q has exactly two eigenvalues. Indeed, using the Lagrange theorem in the multiplicative group .Fq ; /, it is clear that 1 is an eigenvalue. We then use the characteristic polynomial to conclude that q is the other one. This enables us to consider P 2 G1 D E.Fq /Œr \ Ker.q

Œ1/ D E.Fq /Œr;

Q 2 G2 D E.Fq /Œr \ Ker.q

Œq/:

The Ate pairing is defined as follows:

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

8

S. Duquesne, N. El Mrabet and E. Fouotsa

Definition 2.3 (Ate pairing). The reduced Ate pairing is the map eA W G2  G1 ! r ; where T D t

.Q; P / 7! fT;Q .P /

qk 1 r

;

1.

The following theorem gives some properties of the Ate pairing, in particular its relation with the Tate pairing. This relation shows that the Ate pairing is a power of the Tate pairing and therefore is a pairing. A complete proof can be found in [18]. Theorem 2.4 ([18]). Let N D gcd.T k

1; q k

eA .Q; P /rc D .fr;Q .P /.q P where c D ki D01 T k 1 i q i  kq k ing eA is non-degenerate.

1

1/ and T k k

1/=r LN

/

1 D LN . We have

;

mod r. Moreover, for r − L, the Ate pair-

Remark 2.5. The Tate pairing is defined on G1  E.Fq k /, while the Ate pairing is defined on G2  G1 with G2  E.Fq k /. This means that during the execution of the Miller algorithm in the computation of the Ate pairing, the point addition is performed in an extension field of Fq whereas it was performed in Fq in the case of the Tate pairing. As the arithmetic over Fq k is much more expensive than the arithmetic over Fq , each step of the Ate pairing is more expensive than a step of the Tate pairing. However the Miller loop length in the case of the Ate pairing is log2 T which is less (generally the half) than log2 r, the loop length for the Tate pairing. Observe that if the Ate pairing were defined on G1  G2 , then it would be faster than the Tate pairing since its Miller loop length would approximately be halved. This remark leads to the following definition of the twisted Ate pairing [18]. Definition 2.6 (Twisted Ate pairing [18]). Assume that E has a twist of degree ı and m D gcd.k; ı/. Let e D k=m and Te D T e mod r. Then the reduced twisted Ate pairing is defined by eTe W G1  G2 ! r ;

.P; Q/ 7! fTe ;P .Q/

qk 1 r

:

As in the case of the Ate pairing, the following theorem ensures that eTe is a pairing.

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

Efficient computation of pairings on Jacobi quartic elliptic curves

9

Theorem 2.7 ([18]). For the Tate pairing eT .P; Q/ we have eTe .P; Q/rc D eT .P; Q/LN ; P 1 e.m 1 i/ ei where c D m q  mq e.m i D0 T twisted Ate pairing eTe is non-degenerate.

1/

mod r. Moreover, for r − L, the

Remark 2.8. The reduced Tate and twisted Ate pairings are defined on G1  E.Fq k / and G1  G2 , respectively. So they have the same complexity for each iteration of the Miller algorithm, but the Miller loop parameter is T e mod r for the reduced twisted Ate pairing and r for the Tate pairing. Consequently, the twisted Ate pairing will be more efficient than the reduced Tate pairing only for curves with trace t such that T e mod r is significantly less than r. 2.2.5

Optimal pairings

The reduction of Miller’s loop length is an important way to improve the computation of pairings. The latest work is a generalized method to find the shortest loop when possible, which leads to the concept of optimal pairing [29]. Indeed, observe that if k is the embedding degree with respect to r, then r j q k 1 but r − q i 1 for any 1  i < k. This implies that r j ˆk .q/, where ˆk is the k-th cyclotomic polynomial. Since T  q mod r, where T D t 1, we have r j ˆk .T /. More generally, if we consider the Ate-i pairing, which is a generalization of the Ate pairing with Miller function fTi ;Q , where Ti  q i mod r, then r j ˆk=g .Ti /;

where g D gcd.i; k/;

so that the minimal value for Ti is r 1='.k=g/ (where ' is Euler’s totient function) and the lowest bound is r 1='.k/ , obtained for g D 1. We then give the following definition of an optimal pairing, which is a pairing that can be computed with the smallest number of iterations in the Miller loop. Definition 2.9 ([29]). Let e W G1  G2 ! GT be a non-degenerate, bilinear pairing with jG1 j D jG2 j D jGT j D r, where the field of definition of GT is Fq k . Then e is called an optimal pairing if it can be evaluated with about at most .log2 r/='.k/ C ".k/ Miller iterations, where ".k/ is less than log2 k. The lowest bound is attained for several families of elliptic curves. The following theorem gives the construction of an optimal pairing. Theorem 2.10 ([29, Theorem 4]). Let E be an elliptic curve defined over Fq . The embedding degree with respect to a large integer r dividing the order of the group

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

10

S. Duquesne, N. El Mrabet and E. Fouotsa

]E.FP q / is denoted k. Let  D mr be a multiple of r such that r − m and write  D li D0 ci q i . Remember hR;S is the function with divisor Div.hR;S / D .R/ C .S/

.S C R/

.P1 /

and R, S being two arbitrary points on the elliptic curve E. If si D the map eo W G2  G1 ! r defined as .Q; P / 7!

Y l

qi fci ;Q .P /

i D0




lY 1

 qkr

Pl

j Di cj q

j,

1

hŒsiC1 Q;Œci q i Q .P /

i D0

defines a bilinear pairing. Furthermore, the pairing is non-degenerate if mkq k ¤

qk r

l 1 X
i ci q i

1

mod r:

i D0

In Section 5, we apply Theorem 2.10 to provide an example of optimal pairing on Jacobi quartic curves of embedding degree 8. Observe that the computation of optimal pairings follows the same approach as the computation of the Ate pairing. 2.3

Use of twists for efficient computation of pairings

For the applications of twists, observe that the point addition of the Tate pairing, Ate pairing, twisted Ate or optimal pairing on a curve of embedding degree k takes the form P 2 E.Fq / and Q 2 E.Fq k /. In the case of the Tate pairing and the twisted Ate pairing, the evaluation of the Miller function is done at the point Q in the full extension Fq k whereas in the case of Ate and optimal Ate pairings, it is the point addition that is performed there. In both cases, this can affect the efficiency of computations. However many authors (see, e.g., [8, 13]) have shown that one can use the isomorphism between the curve and its twist of degree ı to take the point Q in a particular form which allows to perform some computations more efficiently in the subfield Fq k=ı instead of Fq k . More precisely, if E is an elliptic curve defined over Fq , E 0 its twist of degree ı defined over Fq k=ı and W E 0 ! E the isomorphism between E and E 0 , then the point Q is taken as the image by of a point on the twisted curve E 0 .Fq k=ı /. In this case, the present form of Q allows many computations either for point addition or evaluation of the Miller functions to be done more efficiently in the subfield Fq k=ı . For example in the present case of this work and from Proposition 2.2, instead of taking Q with full coordinates in Fq k , it can be taken in the form Œ!X W Y W Z, where X; Y; Z 2 Fq k=4 . In this work, we use this technique for the computation of the Tate, Ate, twisted Ate

Authenticated | [email protected] author's copy Download Date | 7/13/14 12:15 PM

Efficient computation of pairings on Jacobi quartic elliptic curves

11

and optimal pairings. As a consequence, the twists can be used to eliminate the denominator of the function hR;S in the Miller algorithm. See Section 3.1 for applications.

3 The Tate pairing and twisted Ate pairing computation on Ed W Y 2 D dX 4 C Z 4 In [30], Wang et al. considered pairings on Jacobi quartics and gave the geometric interpretation of the group law. We use a different way to obtain the formulas, namely the birational equivalence between Jacobi quartic curves and Weierstrass curves. We specialize to the particular curves Ed W Y 2 D dX 4 C Z 4 to obtain better results for these up to 39% improvement compared to the results in [30]. The results in this section are from [10]. Given two points P1 D .x1 ; y1 / and P2 D .x2 ; y2 / on the Weierstrass curve Wd W y 2 D x 3 4dx such that P3 D .x3 ; y3 / D P1 C P2 , consider R D ŒX1 W Y1 W Z1 ;

S D ŒX2 W Y2 W Z2 ;

ŒX3 W Y3 W Z3  D ŒX1 W Y1 W Z1  C ŒX2 W Y2 W Z2 ; the corresponding points on the Jacobi quartic Ed . To derive the Miller function hR;S .X; Y; Z/ for Ed , we first write the Miller function hP1 ;P2 .x; y/ on the Weierstrass curve Wd : hP1 ;P2 .x; y/ D where D

8 < yx2

y1 x1

if P1 ¤ P2 ;

4d 2y1

if P1 D P2 ;

2

:

y

3x12

x ˛ ; x x3

and

˛ D y1

x1 :

Using the birational equivalence, the Miller function for the Jacobi quartic Ed W Y 2 D dX 4 C Z 4 is given by hR;S .X; Y; Z/ D hP1 ;P2 .'.X; Y; Z//. We have hR;S .X; Y; Z/ D

4X32 X 2 2X32 .Y C Z 2 / 2X 2 .Y3 C Z32 /  ZY C Z 3 1  Y C Z 2 
 X3 2 X2

˛ ; 4

where D

8